🐱‍👤 CredNinja – проверка достоверности дампа учетных данных или хэшей учетных данных

Обзоры

CredNinja – это инструмент для быстрой проверки достоверности учетных данных (или хэшей) по всей сети или домену.

Инструмент работает при предоставлении ему дампа списка учетных данных (или хэшей, он может передавать хэш), и списка систем в домене (автор предлагает сначала просканировать порт 445, или вы можете использовать “-scan”).

Он скажет вам, действительны ли учетные данные, которые вы сбросили, в домене, и есть ли у вас доступ локального администратора к хосту.

Использование CredNinja для проверки валидности дампа учетных данных или хэшей

  .d8888b.                       888 888b    888 d8b           d8b          

  d88P  Y88b                      888 8888b   888 Y8P           Y8P          

  888    888                      888 88888b  888                            

  888        888d888 .d88b.   .d88888 888Y88b 888 888 88888b.  8888  8888b.  

  888        888P"  d8P  Y8b d88" 888 888 Y88b888 888 888 "88b "888     "88b 

  888    888 888    88888888 888  888 888  Y88888 888 888  888  888 .d888888 

  Y88b  d88P 888    Y8b.     Y88b 888 888   Y8888 888 888  888  888 888  888 

   "Y8888P"  888     "Y8888   "Y88888 888    Y888 888 888  888  888 "Y888888

                                                                888          

                                                               d88P          

                                                             888P"           


                    v2.3 (Built 1/26/2018) - Chris King (@raikiasec)


                         For help: ./CredNinja.py -h


usage: CredNinja.py -a accounts_to_test.txt -s systems_to_test.txt

                    [-t THREADS] [--ntlm] [--valid] [--invalid] [-o OUTPUT]

                    [-p PASSDELIMITER] [--delay SECONDS %JITTER]

                    [--timeout TIMEOUT] [--stripe] [--scan]

                    [--scan-timeout SCAN_TIMEOUT] [-h] [--no-color] [--os]

                    [--domain] [--users] [--users-time USERS_TIME]


Quickly check the validity of multiple user credentials across multiple

servers and be notified if that user has local administrator rights on each

server.




Required Arguments:

  -a accounts_to_test.txt, --accounts accounts_to_test.txt

                        A word or file of user credentials to test. Usernames

                        are accepted in the form of "DOMAIN\USERNAME:PASSWORD"

  -s systems_to_test.txt, --servers systems_to_test.txt

                        A word or file of servers to test against. This can

 be a single system, a filename containing a list of

 systems, a gnmap file, or IP addresses in cidr notation.

 Each credential will be tested against each of these

                        servers by attempting to browse C$ via SMB


Optional Arguments:

  -t THREADS, --threads THREADS

                        Number of threads to use. Defaults to 10

  --ntlm                Treat the passwords as NTLM hashes and attempt to

                        pass-the-hash!

  --valid               Only print valid/local admin credentials

  --invalid             Only print invalid credentials

  -o OUTPUT, --output OUTPUT

                        Print results to a file

  -p PASSDELIMITER, --passdelimiter PASSDELIMITER

                        Change the delimiter between the account username and

                        password. Defaults to ":"

  --delay SECONDS %JITTER

                        Delay each request per thread by specified seconds

                        with jitter (example: --delay 20 10, 20 second delay

                        with 10% jitter)

  --timeout TIMEOUT     Amount of seconds wait for data before timing out.

                        Default is 15 seconds

  --stripe              Only test one credential on one host to avoid spamming

                        a single system with multiple login attempts (used to

                        check validity of credentials). This will randomly

                        select hosts from the provided host file.

  --scan                Perform a quick check to see port 445 is available on

                        the host before queueing it up to be processed

  --scan-timeout SCAN_TIMEOUT

                        Sets the timeout for the scan specified by --scan

                        argument. Default of 2 seconds

  -h, --help            Get help about this script's usage

  --no-color            Turns off output color. Written file is always

                        colorless


Additional Information Retrieval:

  --os                  Display the OS of the system if available (no extra

                        request is being sent)

  --domain              Display the primary domain of the system if available

                        (no extra request is being sent)

  --users               List the users that have logged in to the system in

                        the last 6 months (requires LOCAL ADMIN). Returns

                        usernames with the number of days since their home

                        directory was changed. This sends one extra request to

                        each host

  --users-time USERS_TIME

                        Modifies --users to search for users that have logged

                        in within the last supplied amount of days (default

                        100 days)

Инструмент действительно силен в больших сетях, где он может быстро разобрать большое количество хостов.

Он предназначен для запуска на Kali Linux.

¯\_(ツ)_/¯ Примечание: Информация для исследования, обучения или проведения аудита. Применение в корыстных целях карается законодательством РФ.

Добавить комментарий